Initial commit

This commit is contained in:
Peder Bergebakken Sundt 2023-02-24 21:36:30 +01:00
parent a6a0b16300
commit 019c139a5c
16 changed files with 657 additions and 339 deletions

13
cachix.nix Normal file
View File

@ -0,0 +1,13 @@
# WARN: this file will get overwritten by $ cachix use <name>
{ pkgs, lib, ... }:
let
folder = ./cachix;
toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in {
inherit imports;
nix.settings.substituters = ["https://cache.nixos.org/"];
}

View File

@ -0,0 +1,13 @@
{
nix = {
settings = {
substituters = [
"https://cuda-maintainers.cachix.org"
];
trusted-public-keys = [
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
];
};
};
}

View File

@ -6,57 +6,42 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
system.autoUpgrade.enable = true; # daily nixos-rebuild switch, no reboot by default system.autoUpgrade.enable = true; # daily nixos-rebuild switch, no reboot by default
nix.distributedBuilds = true; # TODO: can i make this non-string?
# useful when the builder has a faster internet connection than i do
nix.extraOptions = '' nix.extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
builders-use-substitutes = true
''; '';
nix.buildMachines = [
/**/ # TODO: move to pbsds home
{ programs.ssh.extraConfig = ''
system = "x86_64-linux"; # can be a list Host *.ntnu.no *.pvv.org
hostName = "rocm.pbsds.net"; User pederbs
sshUser = "pbsds"; '';
maxJobs = 2;
speedFactor = 2;
#supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
#mandatoryFeatures = [ ];
}
/**/
/**/
{
system = "x86_64-linux"; # can be a list
hostName = "isvegg.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 1;
speedFactor = 1;
#supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
#mandatoryFeatures = [ ];
}
/**/
];
# deduplicate with hardlinks, expensive. Alternative: nix-store --optimise # deduplicate with hardlinks, expensive. Alternative: nix-store --optimise
nix.settings.auto-optimise-store = true; nix.settings.auto-optimise-store = true;
#nix.optimize.automatic = true; # periodic optimization #nix.optimize.automatic = true; # periodic optimization
nix.gc = { nix.gc.automatic = true;
automatic = true; nix.gc.dates = "weekly";
dates = "weekly"; nix.gc.options = "--delete-older-than 30d";
options = "--delete-older-than 30d";
};
# How to override package used by module
# https://github.com/NixOS/nixpkgs/issues/55366
imports = [ imports = [
./hardware-configuration.nix # results of hardware scan ./hardware-configuration.nix # results of hardware scan
./cachix.nix
./profiles/nas # add NAS services ./profiles/nas # add NAS services
./profiles/websites ./profiles/websites
./profiles/code-remote ./profiles/code-remote
./users ./profiles/remote-builders #
./profiles/nfs-reidun # NFS mounts
./profiles/autossh-reverse-tunnels
#./profiles/xrdp
./users
#./users/pbsds # todo: <- make this possible
# How to override package used by module
# https://github.com/NixOS/nixpkgs/issues/55366
# TODO: move to where relevant
<nixos-unstable/nixos/modules/services/misc/jellyfin.nix> <nixos-unstable/nixos/modules/services/misc/jellyfin.nix>
<nixos-unstable/nixos/modules/services/web-apps/invidious.nix> <nixos-unstable/nixos/modules/services/web-apps/invidious.nix>
]; ];
@ -67,17 +52,15 @@
services.jellyfin.package = pkgs.unstable.jellyfin; services.jellyfin.package = pkgs.unstable.jellyfin;
services.invidious.package = pkgs.unstable.invidious; services.invidious.package = pkgs.unstable.invidious;
nixpkgs.overlays = [ # TODO: remove? Move to where relevant
(import ./overlays) nixpkgs.overlays = [ (import ./overlays) ];
];
# Allow unstable packages. # Allow unstable packages.
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
unstable = import <nixos-unstable> { unstable = import <nixos-unstable> {
config = config.nixpkgs.config; config = config.nixpkgs.config;
}; };
# TODO: nur
}; };
# enable opengl (headless) # enable opengl (headless)
@ -85,15 +68,19 @@
#hardware.opengl.extraPackages = [ pkgs.mesa.drivers ]; #hardware.opengl.extraPackages = [ pkgs.mesa.drivers ];
hardware.opengl.extraPackages = with pkgs; [ mesa.drivers vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ]; hardware.opengl.extraPackages = with pkgs; [ mesa.drivers vaapiIntel libvdpau-va-gl vaapiVdpau intel-ocl ];
# run/build weird binaries # run/build weird binaries
boot.binfmt.emulatedSystems = [ boot.binfmt.emulatedSystems = [
"wasm32-wasi" "wasm32-wasi"
"wasm64-wasi"
"x86_64-windows" "x86_64-windows"
"aarch64-linux" "aarch64-linux"
"riscv64-linux" "riscv64-linux"
#"x86_64-darwin"
#"aarch64-darwin"
]; ];
services.thermald.enable = true;
# Bootloader # Bootloader
boot.loader.grub.enable = true; boot.loader.grub.enable = true;
@ -106,6 +93,7 @@
#services.docker.enable = true; #services.docker.enable = true;
virtualisation = { virtualisation = {
podman.enable = true; podman.enable = true;
# TODO: are these default since 22.11?
podman.dockerCompat = true; # alias docker to podman podman.dockerCompat = true; # alias docker to podman
oci-containers.backend = "podman"; oci-containers.backend = "podman";
}; };
@ -117,6 +105,7 @@
# Enable networking # Enable networking
networkmanager.enable = true; networkmanager.enable = true;
#wireless.enable = true; # Enables wireless support via wpa_supplicant. #wireless.enable = true; # Enables wireless support via wpa_supplicant.
#iwd.enable = true
hostName = "noximilien"; # Define your hostname. hostName = "noximilien"; # Define your hostname.
domain = "pbsds.net"; domain = "pbsds.net";
@ -135,78 +124,15 @@
}; };
#useDHCP = true; #useDHCP = true;
# Configure network proxy if necessary
#proxy.default = "http://user:password@proxy:port/";
#proxy.noProxy = "127.0.0.1,localhost,internal.domain";
}; };
# Open ports in the firewall. # firewall
services.fail2ban.enable = true;
networking.firewall.enable = true; # default
#networking.firewall.allowedTCPPorts = [ ... ]; #networking.firewall.allowedTCPPorts = [ ... ];
#networking.firewall.allowedUDPPorts = [ ... ]; #networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false; # default is true, TEMP
# NFS mounts
fileSystems = let
mkMount = mountpoint: server: subdir: {
"${mountpoint}${subdir}" = {
device = "${server}${subdir}";
fsType = "nfs";
#options = [ "nfsvers=4.2" ];
};
};
# TODO: combine nameValuePair and listToAttrs
joinSets = sets: builtins.foldl' (l: r: l // r) {} sets;
in joinSets (
(map (mkMount "/mnt/reidun" "192.168.1.3:/Reidun/shared") [
""
"/Backups"
"/Comics"
"/Downloads"
"/Games"
"/Games/Installable"
"/Games/Portable"
"/Games/ROMs"
"/ISO"
"/Images"
"/Images/Collections"
"/Images/Memes"
"/Images/Pictures"
"/Images/Wallpapers"
"/Music"
"/Music/Albums"
"/Music/Kancolle"
"/Music/OST"
"/Music/Old"
"/Music/Touhou"
"/Music/Vocaloid"
"/Music/dojin.co"
"/Various"
"/Various/Zotero"
"/Various/resilio"
"/Video"
"/Video/Anime"
"/Video/Concerts"
"/Video/Documentaries"
"/Video/Movies"
"/Video/Musicvideos"
"/Video/Series"
"/Video/Talks"
"/Work"
"/Work/Documents"
#"/Work/FL Studio" # broken, maybe due to the space?
"/Work/Programming"
"/Work/School"
"/pub"
]) ++ (map (mkMount "/mnt/meconium" "192.168.1.3:/Meconium" ) [
""
"/beets_music"
])
);
# Time zone and internationalisation properties. # Time zone and internationalisation properties.
@ -223,18 +149,16 @@
LC_TELEPHONE = "nb_NO.utf8"; LC_TELEPHONE = "nb_NO.utf8";
LC_TIME = "nb_NO.utf8"; LC_TIME = "nb_NO.utf8";
}; };
services.xserver = { services.xserver.layout = "no";
# Configure X11 keymap services.xserver.xkbVariant = "";
layout = "no"; console.keyMap = "no";
xkbVariant = "";
};
console.keyMap = "no";# Configure console keymap
# Installed system packages # Installed system packages
# $ nix search FOOBAR # $ nix search FOOBAR
# TODO: prune this, make home-manager deal with the majority
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lsof lsof
lshw lshw
@ -262,6 +186,7 @@
curl curl
wget wget
strace strace
killall
zip zip
unrar unrar
@ -317,6 +242,7 @@
gh gh
hub hub
cachix
nix-output-monitor nix-output-monitor
nix-prefetch nix-prefetch
nix-top nix-top
@ -336,16 +262,12 @@
''; '';
# TODO: make this root only? # TODO: make this root only?
programs.bash.shellAliases = { programs.bash.shellAliases."ed" = "micro"; # TODO: ${EDITOR:-micro}
ed = "micro"; # TODO: ${EDITOR:-micro} environment.variables."EDITOR" = "micro";
};
environment.variables = {
EDITOR = "micro";
};
# TODO: remove? Move?
programs.dconf.enable = true; programs.dconf.enable = true;
# System fonts # System fonts
# Nice to have when X-forwading on headless machines # Nice to have when X-forwading on headless machines
@ -372,110 +294,34 @@
services.openssh.forwardX11 = true; services.openssh.forwardX11 = true;
# AutoSSH reverse tunnels
services.autossh.sessions = let
mkSshSession = user: name: host: rport: monitoringPort: {
user = user; # local user
name = "ssh-reverse-tunnel-${name}-${toString rport}";
monitoringPort = monitoringPort;
extraArguments = lib.concatStringsSep " " [
"-N" # no remote command
"-o ServerAliveInterval=10" # check if still alive
"-o ServerAliveCountMax=3" # check if still alive
"-o ExitOnForwardFailure=yes" # reverse tunnel critical
"-R ${toString rport}:127.0.0.1:22" # reverse tunnel
host
];
};
in [
#(mkSshSession "pbsds" "p7pi" "pi@p7.pbsds.net" 10023 20000) # no mutual signature algorithm
(mkSshSession "pbsds" "pbuntu" "pbsds@pbuntu.pbsds.net -p 23" 10023 20002)
(mkSshSession "pbsds" "hildring" "pederbs@hildring.pvv.ntnu.no" 25775 20004)
];
# auto domain update # auto domain update
# TODO: use the dyndns endpoint + curl instead
/**/
systemd.services.domeneshop-updater = { systemd.services.domeneshop-updater = {
description = "domene.shop domain updater"; description = "domene.shop domain updater";
#after = [ "something?.service" ]; #after = [ "something?.service" ];
#wants = [ "something?.service" ]; #wants = [ "something?.service" ];
serviceConfig = let serviceConfig = let
env = pkgs.python3.withPackages (ps: with ps; [ pkgs.python3Packages.domeneshop httpx toml ]); prog = pkgs.writeShellApplication {
prog = pkgs.writeScript "domain-updater.py" '' name = "domeneshop-dyndns-updater.sh";
#!${env}/bin/python runtimeInputs = with pkgs; [ curl yq ];
from domeneshop import Client text = ''
import os, httpx, pprint, toml test -s /var/lib/secrets/domeneshop.toml || {
>&2 echo "ERROR: /var/lib/secrets/domeneshop.toml not found!"
def get_pub_ip() -> str: exit 1
for endpoint, getter in {
"http://myip.tf": lambda resp: resp.text,
"https://ipinfo.io/json": lambda resp: resp.json()["ip"],
"https://api.ipify.org": lambda resp: resp.text,
"http://ip.42.pl/raw": lambda resp: resp.text,
}.items():
resp = httpx.get(endpoint)
if not resp.is_success: continue
try:
return resp.json()["ip"]
except:
pass
else:
raise Exception("Could not find external IP")
# https://www.domeneshop.no/admin?view=api
with open("/var/lib/secrets/domeneshop.toml") as f:
c = toml.load(f)
DOMENESHOP_TOKEN = os.environ.get("DOMENESHOP_TOKEN", c["secrets"]["DOMENESHOP_TOKEN"])
DOMENESHOP_SECRET = os.environ.get("DOMENESHOP_SECRET", c["secrets"]["DOMENESHOP_SECRET"])
IP_ADDRESS = get_pub_ip() # TODO: both ipv4 and ipv6
DOMAINS = {
"pbsds.net": {
"olavtr": ["A"],
},
} }
DOMENESHOP_TOKEN="$(tomlq .secrets.DOMENESHOP_TOKEN /var/lib/secrets/domeneshop.toml --raw-output)"
client = Client(DOMENESHOP_TOKEN, DOMENESHOP_SECRET) DOMENESHOP_SECRET="$(tomlq .secrets.DOMENESHOP_SECRET /var/lib/secrets/domeneshop.toml --raw-output)"
for domain in client.get_domains(): curl https://"$DOMENESHOP_TOKEN":"$DOMENESHOP_SECRET"@api.domeneshop.no/v0/dyndns/update?hostname=olavtr.pbsds.net
if domain["domain"] not in DOMAINS:
continue
RECORDS = DOMAINS[domain["domain"]]
for record in client.get_records(domain["id"]):
if record["host"] in RECORDS \
and record["type"] in RECORDS[record["host"]]:
print("Found: ", end="")
pprint.pprint(record)
if record["data"] != IP_ADDRESS:
record["data"] = IP_ADDRESS
print("Push: ", end="")
pprint.pprint(record)
client.modify_record(domain_id=domain["id"], record_id=record.pop("id"), record=record)
else:
print("Nothing done")
RECORDS[record["host"]].remove(record["type"])
for k, v in list(RECORDS.items()):
if not v: RECORDS.pop(k)
if not RECORDS: DOMAINS.pop(domain["domain"])
if DOMAINS:
print("ERROR: The following records were not found:")
pprint.pprint(DOMAINS)
exit(1)
else:
print("Success")
''; '';
};
in { in {
User = "domeneshop"; User = "domeneshop";
Group = "domeneshop"; Group = "domeneshop";
DynamicUser = true; DynamicUser = true;
ExecStart = prog; ExecStart = "${prog}/bin/domeneshop-dyndns-updater.sh";
PrivateTmp = true; PrivateTmp = true;
}; };
}; };
systemd.timers.domeneshop-updater = let interval = "1d"; in { systemd.timers.domeneshop-updater = let interval = "5h"; in {
description = "Update domene.shop every ${interval}"; description = "Update domene.shop every ${interval}";
wantedBy = [ "timers.target" ]; wantedBy = [ "timers.target" ];
timerConfig = { timerConfig = {
@ -484,7 +330,6 @@
Unit = "domeneshop-updater.service"; Unit = "domeneshop-updater.service";
}; };
}; };
/**/
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
@ -493,6 +338,7 @@
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "22.05"; # Did you read the comment? system.stateVersion = "22.11"; # Did you read the comment?
#system.stateVersion = "22.05"; # Did you read the comment?
} }

View File

@ -0,0 +1,33 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/fa5f2e24-ab42-4a5f-bf8c-be699b980457";
fsType = "ext4";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/5b00f5ca-f7a8-4a69-a93b-8e68d9e369e7"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

View File

@ -1,47 +1,46 @@
# https://nixos.wiki/wiki/Overlays # https://nixos.wiki/wiki/Overlays
self: super: # final: prev:
let let
# WARNING: this works for nixos-rebuild, but not for the nix-build trick shown on the bottom # WARNING: this works for nixos-rebuild, but not for the nix-build trick shown on the bottom
testing = import (fetchTarball { #testing = import (fetchTarball {
name = "pr-180823"; # name = "pr-180823";
url = "https://github.com/r-ryantm/nixpkgs/archive/cfe56470cb641985d43adba690d5bca5453110fe.tar.gz"; # url = "https://github.com/r-ryantm/nixpkgs/archive/cfe56470cb641985d43adba690d5bca5453110fe.tar.gz";
sha256 = "0rbncjp2a99l6i4z7w2m86l40m33b3dl9qficfny47kqcfpgyx0b"; # sha256 = "0rbncjp2a99l6i4z7w2m86l40m33b3dl9qficfny47kqcfpgyx0b";
}) { #}) {
#config = super.config; # #config = prev.config;
}; #};
overridePythonPackages = old: { overridePythonPackages = old: {
overrides = self: super: { overrides = final: prev: {
pdoc = self.callPackage /home/pbsds/repos/nixpkgs-pdoc/pkgs/development/python-modules/pdoc {}; #pdoc = final.callPackage /home/pbsds/repos/nixpkgs-pdoc/pkgs/development/python-modules/pdoc { };
domeneshop = self.callPackage /home/pbsds/repos/nixpkgs-domemeshop/pkgs/development/python-modules/domeneshop {}; #domeneshop = final.callPackage /home/pbsds/repos/nixpkgs-domemeshop/pkgs/development/python-modules/domeneshop { };
shap = self.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/shap {}; #shap = final.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/shap { };
catboost = self.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/catboost {}; #catboost = final.callPackage /home/pbsds/repos/nixpkgs-catboost/pkgs/development/python-modules/catboost { };
analytics-python = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/analytics-python {}; analytics-python = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/analytics-python { };
ffmpy = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/ffmpy {}; ffmpy = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/ffmpy { };
markdown-it-py = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/markdown-it-py {}; markdown-it-py = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/markdown-it-py { };
gradio = self.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/gradio {}; gradio = final.callPackage /home/pbsds/repos/nixpkgs-gradio/pkgs/development/python-modules/gradio { };
trivial-gradios = self.callPackage ./trivial-gradios {}; trivial-gradios = final.callPackage ./trivial-gradios { };
}; };
}; };
in { # "final" and "prev" in final: prev: {
#kukkee = super.callPackage ./kukkee {}; #kukkee = prev.callPackage ./kukkee { };
#rallly = super.callPackage ./rallly {}; #rallly = prev.callPackage ./rallly { };
#inherit (testing) polaris polaris-web; #polaris = prev.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris { };
polaris = super.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris {}; #polaris-web = prev.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris/web.nix { };
polaris-web = super.callPackage /home/pbsds/repos/nixpkgs-polaris/pkgs/servers/polaris/web.nix {};
mapcrafter = super.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix {}; mapcrafter = prev.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix { };
mapcrafter-world112 = super.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix {world="world112";}; mapcrafter-world112 = prev.callPackage /home/pbsds/repos/nixpkgs-mapcrafter/pkgs/tools/games/minecraft/mapcrafter/default.nix { world="world112"; };
#python3.pkgs = super.python3.pkgs.override overridePythonPackages; #python3.pkgs = prev.python3.pkgs.override overridePythonPackages;
python3Packages = super.python3Packages.override overridePythonPackages; python3Packages = prev.python3Packages.override overridePythonPackages;
} }

View File

@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
{
# AutoSSH reverse tunnels
services.autossh.sessions = let
mkSshSession = {user, name, host, rport, monitoringPort}: {
user = user; # local user
name = "ssh-reverse-tunnel-${name}-${toString rport}";
monitoringPort = monitoringPort;
extraArguments = lib.concatStringsSep " " [
"-N" # no remote command
"-o ServerAliveInterval=10" # check if still alive
"-o ServerAliveCountMax=3" # check if still alive
"-o ExitOnForwardFailure=yes" # reverse tunnel critical
"-R ${toString rport}:127.0.0.1:22" # reverse tunnel
host
];
};
in [
#(mkSshSession {user="root"; name="p7rpi"; host="pi@p7.pbsds.net"; rport=10023; monitoringPort=20000; }) # no mutual signature algorithm
(mkSshSession {user="root"; name="pbuntu"; host="pbsds@pbuntu.pbsds.net -p 23"; rport=10023; monitoringPort=20002; })
(mkSshSession {user="root"; name="hildring"; host="pederbs@hildring.pvv.ntnu.no"; rport=25775; monitoringPort=20004; })
];
programs.ssh.knownHosts = {
# fetch with `ssh-keyscan`
"[pbuntu.pbsds.net]:23".publicKey
= "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFiAq96DANRP90fBTknL9VagN0HB8O+S6qD17iC8caE3uZ6Wq5a3gpCr/s0T/Cbf8exNYn3zpdLUUUSngN6gMeA=";
"p7.pbsds.net".publicKey
= "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMn1GtMCK2T3LoSfwer0VKCTDO2DHYcf7L41YmWda4fObMZk1VJtjV7wn7EsYkpbHUwkeZCd9DcOb7aYwr0OHLU=";
"hildring.pvv.ntnu.no".publicKey
= "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
};
#programs.ssh.extraConfig = ''
#'';
}

View File

@ -1,14 +1,24 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
# TODO:
# * [ ] fix network sandboxing, so the container cant access localhost services on host
# * [ ] automatically pull the repo on boot, do i need keys for that?
# * [ ] generate a ssh key if not existing
# * [ ] attempt to pull, otherwise print the ssh-pubkey
# * [ ] Make vscode default to our repo
# * [ ] customize the shit out of vscode
let let
domain = "${config.networking.hostName}.${config.networking.domain}"; domain = "${config.networking.hostName}.${config.networking.domain}";
mkDomain = subname: "${subname}.${domain}"; mkDomain = subname: "${subname}.${domain}";
cnt = config.containers.code-server-theo.config; container-name = "code-server-pandoc";
cnt = config.containers.${container-name}.config;
in { in {
networking.nat = { networking.nat = {
enable = true; enable = true;
internalInterfaces = ["ve-+"]; internalInterfaces = ["ve-+"];
externalInterface = "eno1"; # TODO: can i make this dynamic? externalInterface = "eno1"; # TODO: can i make this automatic?
#enableIPv6 = true;
}; };
#imports = [ #imports = [
@ -18,12 +28,11 @@ in {
# "virtualisation/nixos-containers.nix" # "virtualisation/nixos-containers.nix"
#]; #];
# data can be destroyed with `nixos-container destroy code-server-theo` # data can be destroyed with `nixos-container destroy code-server-pandoc`
containers.code-server-theo = { containers.${container-name} = {
autoStart = true; autoStart = true;
# container has no network access # container has no network access
#
privateNetwork = true; privateNetwork = true;
hostAddress = "10.240.100.2"; hostAddress = "10.240.100.2";
localAddress = "10.240.100.3"; localAddress = "10.240.100.3";
@ -41,7 +50,7 @@ in {
# hostPath = "/var/lib/code-server"; # hostPath = "/var/lib/code-server";
# isReadOnly = false; # isReadOnly = false;
#}; #};
config = { config, pkgs, ... }: { config = { config, pkgs, lib, ... }: {
system.stateVersion = "22.05"; system.stateVersion = "22.05";
#imports = [ <home-manager/nixos> ]; #imports = [ <home-manager/nixos> ];
@ -49,23 +58,54 @@ in {
#home-manager.useGlobalPkgs = true; # brrr #home-manager.useGlobalPkgs = true; # brrr
#home-manager.users.${config.services.code-server.user} = { pkgs, config, ... }: { #home-manager.users.${config.services.code-server.user} = { pkgs, config, ... }: {
# programs.git.enable = true; # programs.git.enable = true;
# programs.git.userName = "Theoharis Theoharis"; # programs.git.userName = "Noximilien code-server";
# programs.git.userEmail = "theotheo@ntnu.no"; # programs.git.userEmail = "theotheo@ntnu.no";
#}; #};
systemd.services.initial-setup = {
wantedBy = [ "multi-user.target" ];
# TODO: run as the correct user
serviceConfig.User = config.services.code-server.user;
serviceConfig.Group = config.services.code-server.group;
# TODO: make the ssh key comment automatic
script = ''
test -s "$HOME/.ssh/id_rsa.pub" || {
mkdir "$HOME/.ssh"
echo "" | ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -a 100 -C "code-server@noximilien" -f "$HOME/.ssh/id_ed25519"
echo
echo "You pubkey is:"
cat "$HOME/.ssh/id_ed25519.pub"
echo
exit
}
#${pkgs.curl}/bin/curl "https://github.com/pbsds.keys" | grep "$(cat $HOME/.ssh/id_ed25519.pub | cut -d" " -f-2)"
test -d "$HOME/repos/papers" || {
mkdir -p "$HOME/repos"
${pkgs.git}/bin/git clone git@github.com:pbsds/papers.git
}
'';
};
services.code-server = { services.code-server = {
enable = true; enable = true;
host = "0.0.0.0"; # container host = "0.0.0.0"; # container
port = 53754; port = 53754;
# if you don't care about security: https://argon2.online/ #user = "code-server";
hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg"; #group = "code.server";
# a nice tool if you don't care about security: https://argon2.online/
hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg"; # hunter2
package = pkgs.vscode-with-extensions.override { package = pkgs.vscode-with-extensions.override {
vscode = pkgs.code-server.overrideAttrs (old: { vscode = pkgs.code-server.overrideAttrs (old: {
# vscode-with-extensions compatibility
# https://github.com/NixOS/nixpkgs/pull/192889
passthru.executableName = "code-server"; passthru.executableName = "code-server";
passthru.longName = "Visual Studio Code Server"; passthru.longName = "Visual Studio Code Server";
}); });
#vscodeExtensions = vscode-extensions; [ #vscodeExtensions = with (import <nixos-unstable> {}).vscode-extensions; [
vscodeExtensions = with (import <nixos-unstable> {}).vscode-extensions; [ vscodeExtensions = with pkgs.vscode-extensions; [
shd101wyy.markdown-preview-enhanced shd101wyy.markdown-preview-enhanced
sanaajani.taskrunnercode sanaajani.taskrunnercode
tomoki1207.pdf tomoki1207.pdf
@ -115,6 +155,7 @@ in {
]; ];
}; };
extraPackages = with pkgs; [ extraPackages = with pkgs; [
# based on https://github.com/pbsds/papers/blob/main/shell.nix
(writeShellScriptBin "pandoc" '' (writeShellScriptBin "pandoc" ''
export XDG_DATA_HOME=${pandoc-lua-filters}/share export XDG_DATA_HOME=${pandoc-lua-filters}/share
exec ${pandoc}/bin/pandoc "$@" exec ${pandoc}/bin/pandoc "$@"
@ -136,11 +177,26 @@ in {
; ;
}) })
(python310.withPackages (ps: with ps; [
python-lsp-server
numpy
matplotlib
imageio
#(callPackage ./nix-modules/pytikz.nix { })
#(callPackage ./nix-modules/pyrender.nix { })
]))
pandoc-imagine pandoc-imagine
haskellPackages.pandoc-crossref haskellPackages.pandoc-crossref
#haskellPackages.pandoc-plot #haskellPackages.pandoc-plot
#pandoc-plantuml-filter nodePackages.mermaid-cli #pandoc-plantuml-filter nodePackages.mermaid-cli
# tikz stuff
imagemagick
drawio-headless
openscad
#curv
bash bash
git git
bat bat
@ -148,13 +204,6 @@ in {
boxes boxes
graphviz graphviz
#python3Packages.cairosvg #python3Packages.cairosvg
(python3.withPackages (ps: with ps; [
numpy
matplotlib
#python-lsp-server
]))
]; ];
}; };
@ -165,6 +214,8 @@ in {
]; ];
}; };
# Manually configure nameserver. Using resolved inside the container seems to fail currently
#environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
}; };
}; };
@ -174,10 +225,9 @@ in {
locations."/" = { locations."/" = {
#proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}"; #proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}";
#proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}"; #proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}";
proxyPass = "http://${config.containers.code-server-theo.localAddress}:${toString cnt.services.code-server.port}"; proxyPass = "http://${config.containers.${container-name}.localAddress}:${toString cnt.services.code-server.port}";
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
} }

View File

@ -0,0 +1,113 @@
{ config, pkgs, lib, ... }:
let
domain = "${config.networking.hostName}.${config.networking.domain}";
mkDomain = subname: "${subname}.${domain}";
cnt = config.containers.vscode-remote-test.config;
in {
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "eno1"; # TODO: can i make this dynamic?
};
#imports = [
# "/home/pbsds/repos/nixpkgs-trees/containers-mkdir/nixos/modules/virtualisation/nixos-containers.nix"
#];
#disabledModules = [
# "virtualisation/nixos-containers.nix"
#];
containers.vscode-remote-test = {
autoStart = true;
privateNetwork = true;
hostAddress = "10.240.100.2";
localAddress = "10.240.100.3";
#bindMounts."/home" = {
# hostPath = "/var/lib/code-server";
# isReadOnly = false;
#};
config = { config, pkgs, ... }: {
system.stateVersion = "22.05";
imports = [ <home-manager/nixos> ];
home-manager.useUserPackages = true; # install to /etc instead of ~/.nix-profile, needed for containers
home-manager.useGlobalPkgs = true; # brrr
home-manager.users.${config.services.code-server.user} = { pkgs, config, ... }: {
programs.git.enable = true;
programs.git.userName = "Theoharis Theoharis";
programs.git.userEmail = "theotheo@ntnu.no";
programs.vscode.extensions = with pkgs.vscode-extensions; [
shd101wyy.markdown-preview-enhanced
sanaajani.taskrunnercode
tomoki1207.pdf
];
};
services.code-server = {
enable = true;
port = 53754;
# if you don't care about security: https://argon2.online/
hashedPassword = "$argon2i$v=19$m=16,t=2,p=1$MHh5UGNtU1lWR1UySnhIZw$ITg8U7Gq2CXByuOOnrKVUg";
extraPackages = with pkgs; [
(writeShellScriptBin "pandoc" ''
export XDG_DATA_HOME=${pandoc-lua-filters}/share
exec ${pandoc}/bin/pandoc "$@"
'')
(texlive.combine {
inherit (texlive)
scheme-small
titlesec
fontaxes
supertabular
xtab
# boxed quotes
mdframed
zref
needspace
soul
atkinson
;})
pandoc-imagine
haskellPackages.pandoc-crossref
#haskellPackages.pandoc-plot
#pandoc-plantuml-filter nodePackages.mermaid-cli
bash
bat
gnumake
boxes
graphviz
#python3Packages.cairosvg
(python3.withPackages (ps: with ps; [
numpy
matplotlib
#python-lsp-server
]))
];
};
#networking.firewall = {
# enable = true;
# allowedTCPPorts = [ 80 ];
#};
};
};
services.nginx.virtualHosts.${mkDomain "code-remote"} = {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
#proxyPass = "http://127.0.0.1:${toString cnt.services.code-server.port}";
proxyPass = "http://10.240.100.3:${toString cnt.services.code-server.port}";
proxyWebsockets = true;
};
};
}

View File

@ -16,10 +16,20 @@ in
with builtins; { with builtins; {
imports = [ imports = [
./modules/webhook.nix
#./modules/kukkee.nix #./modules/kukkee.nix
<nixos-unstable/nixos/modules/services/misc/polaris.nix>
#/home/pbsds/repos/nixpkgs-polaris/nixos/modules/services/misc/polaris.nix #<nixos-unstable/nixos/modules/services/misc/polaris.nix>
#/home/pbsds/repos/nixpkgs-trees/polaris/nixos/modules/services/misc/polaris.nix
/home/pbsds/repos/nixpkgs/polaris-14/nixos/modules/services/misc/polaris.nix
];
disabledModules = [
"services/misc/polaris.nix"
];
nixpkgs.overlays = [
(final: prev: {
polaris = prev.callPackage /home/pbsds/repos/nixpkgs/polaris-14/pkgs/servers/polaris { };
polaris-web = prev.callPackage /home/pbsds/repos/nixpkgs/polaris-14/pkgs/servers/polaris/web.nix { };
})
]; ];
@ -46,6 +56,7 @@ with builtins; {
services.nginx.enable = true; services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Website tunnel # Website tunnel
@ -219,12 +230,12 @@ with builtins; {
services.grafana = rec { services.grafana = rec {
#enable = true; #enable = true;
#addr = "127.0.0.1"; #addr = "127.0.0.1";
addr = "0.0.0.0"; settings.server.http_addr = "0.0.0.0";
port = 3000; settings.server.http_port = 3000;
domain = mkDomain "grafana"; settings.server.domain = mkDomain "grafana";
#rootUrl = "https://${domain}/grafana/"; # Not needed if it is `https://your.domain/` #rootUrl = "https://${domain}/grafana/"; # Not needed if it is `https://your.domain/`
}; };
services.nginx.virtualHosts."${config.services.grafana.domain}" = lib.mkIf config.services.grafana.enable { services.nginx.virtualHosts."${config.services.grafana.settings.server.domain}" = lib.mkIf config.services.grafana.enable {
forceSSL = true; # addSSL = true; forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain; enableACME = true; #useACMEHost = acmeDomain;
#locations."/grafana/" = { #locations."/grafana/" = {
@ -258,7 +269,8 @@ with builtins; {
# Cryptpad # Cryptpad
# A collaborative office suite that is end-to-end encrypted and open-source. # A collaborative office suite that is end-to-end encrypted and open-source.
# TODO: https://github.com/NixOS/nixpkgs/pull/180066
/*
services.cryptpad = { services.cryptpad = {
#enable = true; # current node version used is marked insecure #enable = true; # current node version used is marked insecure
# reference: https://github.com/xwiki-labs/cryptpad/blob/main/config/config.example.js # reference: https://github.com/xwiki-labs/cryptpad/blob/main/config/config.example.js
@ -305,7 +317,7 @@ with builtins; {
proxyWebsockets = true; proxyWebsockets = true;
}; };
}; };
*/
# Jellyfin # Jellyfin
@ -320,12 +332,14 @@ with builtins; {
openFirewall = false; # I do it manually below: openFirewall = false; # I do it manually below:
# TODO: configure initial collections and extensions # TODO: configure initial collections and extensions
}; };
# firewall # firewall - not needed?
networking.firewall = lib.mkIf config.service.jellyfin.enable { /*
networking.firewall = lib.mkIf config.services.jellyfin.enable {
# TODO: does this overwrite rules set by other stuff? should i use ++ ? # TODO: does this overwrite rules set by other stuff? should i use ++ ?
#allowedTCPPorts = [ 8096 8920 ]; #allowedTCPPorts = [ 8096 8920 ];
allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT? allowedUDPPorts = [ 1900 7359 ]; # TODO: Only if behind a NAT?
}; };
*/
services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf config.services.jellyfin.enable { services.nginx.virtualHosts.${mkDomain "jellyfin"} = lib.mkIf config.services.jellyfin.enable {
forceSSL = true; # addSSL = true; forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain; enableACME = true; #useACMEHost = acmeDomain;
@ -335,6 +349,7 @@ with builtins; {
}; };
}; };
# Hardware acceleration # Hardware acceleration
# https://nixos.wiki/wiki/Jellyfin
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };
@ -345,6 +360,7 @@ with builtins; {
vaapiIntel vaapiIntel
vaapiVdpau vaapiVdpau
libvdpau-va-gl libvdpau-va-gl
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
]; ];
}; };
# Allow Jellyfin access to VAAPI # Allow Jellyfin access to VAAPI
@ -392,20 +408,20 @@ with builtins; {
#user = "pbsds"; #user = "pbsds";
#group = "users"; #group = "users";
port = 7890; port = 7890;
package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here #package = pkgs.unstable.polaris; # instead of my overlay, TODO: move that overlay here
settings = { settings = {
settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800, i.e. hourly settings.reindex_every_n_seconds = 7*24*60*60; # weekly, default is 1800, i.e. hourly
settings.album_art_pattern = settings.album_art_pattern =
"([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)"; "([Cc]over|COVER|[Ff]older|FOLDER|[Ff]ront|FRONT)\.(jpeg|JPEG|jpg|JPG|png|PNG|bmp|BMP|gif|GIF)";
#"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)"; #"(?i)(cover|folder|front)\.(jpeg|jpg|png|bmp|gif)";
mount_dirs = [ mount_dirs = [
{ source = "/mnt/reidun/Music/Albums"; name = "Albums"; } { name = "Albums"; source = "/mnt/reidun/Music/Albums"; }
{ source = "/mnt/reidun/Music/dojin.co"; name = "dojin.co"; } { name = "dojin.co"; source = "/mnt/reidun/Music/dojin.co"; }
{ source = "/mnt/reidun/Music/Vocaloid"; name = "Vocaloid"; } { name = "Vocaloid"; source = "/mnt/reidun/Music/Vocaloid"; }
{ source = "/mnt/reidun/Music/Touhou"; name = "Touhou"; } { name = "Touhou"; source = "/mnt/reidun/Music/Touhou"; }
{ source = "/mnt/reidun/Music/OST"; name = "OST"; } { name = "OST"; source = "/mnt/reidun/Music/OST"; }
{ source = "/mnt/reidun/Music/Kancolle"; name = "Kancolle"; } { name = "Kancolle"; source = "/mnt/reidun/Music/Kancolle"; }
{ source = "/mnt/reidun/Downloads/music"; name = "Downloads"; } { name = "Downloads"; source = "/mnt/reidun/Downloads/music"; }
]; ];
}; };
}; };
@ -580,42 +596,12 @@ with builtins; {
}; };
# Webhook
# incoming webhook server that executes shell commands
/**/
services.webhook = {
enable = true;
#listenHost = "0.0.0.0"; # default is "127.0.0.1"
listenPort = 7777; # default is 8080
urlPrefix = "spismeg"; # default is "hooks"
#httpMethods = [ "GET" "POST" ]; # default is [ "POST" ]
settings = [
{
id = "webhook-id";
execute-command = pkgs.writeShellScript "webhook-handler.sh" ''
echo foobar;
'';
}
];
};
services.nginx.virtualHosts.${mkDomain "webhook"} = lib.mkIf config.services.webhook.enable {
forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.webhook.listenPort}";
proxyWebsockets = true;
};
};
/**/
# Gitea # Gitea
# Git with a cup of tea # Git with a cup of tea
services.gitea = rec { services.gitea = rec {
enable = true; enable = true;
disableRegistration = true; # disable after initial deploy settings.service.DISABLE_REGISTRATION = true; # disable after initial deploy
#https://docs.gitea.io/en-us/config-cheat-sheet/ #https://docs.gitea.io/en-us/config-cheat-sheet/
#settings = { #settings = {
# "cron.sync_external_users" = { # "cron.sync_external_users" = {
@ -645,7 +631,7 @@ with builtins; {
httpAddress = "127.0.0.1"; # default is "0.0.0.0" httpAddress = "127.0.0.1"; # default is "0.0.0.0"
#extraConfig #extraConfig
#database.type # default is "sqlite3" #database.type # default is "sqlite3"
cookieSecure = true; # default is false, only send cookies over https settings.session.COOKIE_SECURE = true; # default is false, only send cookies over https
#stateDir # default is "/var/lib/gitea" #stateDir # default is "/var/lib/gitea"
#mailerPasswordFile # Path to a file containing the SMTP password #mailerPasswordFile # Path to a file containing the SMTP password
#repositoryRoot # default is "${config.services.gitea.stateDir}/repositories" #repositoryRoot # default is "${config.services.gitea.stateDir}/repositories"
@ -1098,19 +1084,19 @@ with builtins; {
services.hedgedoc = { services.hedgedoc = {
#enable = true; # FIXME: make it load #enable = true; # FIXME: make it load
configuration.host = "127.0.0.1"; settings.host = "127.0.0.1";
configuration.port = 44776; settings.port = 44776;
configuration.db.dialect = "sqlite"; settings.db.dialect = "sqlite";
configuration.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite"; settings.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite";
configuration.domain = mkDomain "hedgedoc"; settings.domain = mkDomain "hedgedoc";
configuration.allowAnonymous = true; settings.allowAnonymous = true;
configuration.allowEmailRegister = false; # default is true settings.allowEmailRegister = false; # default is true
configuration.allowAnonymousEdits = false; # default is false settings.allowAnonymousEdits = false; # default is false
configuration.protocolUseSSL = true; # https prefix settings.protocolUseSSL = true; # https prefix
configuration.useSSL = false; # nginx terminates ssl settings.useSSL = false; # nginx terminates ssl
#configuration.csp = {TODO}; # content security policy #settings.csp = {TODO}; # content security policy
#configuration.useCDN = true; #settings.useCDN = true;
#configuration.debug = true; #settings.debug = true;
# there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc. # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
# there are also auth options, like ldap, saml and oauth2 # there are also auth options, like ldap, saml and oauth2
}; };
@ -1118,7 +1104,7 @@ with builtins; {
forceSSL = true; # addSSL = true; forceSSL = true; # addSSL = true;
enableACME = true; #useACMEHost = acmeDomain; enableACME = true; #useACMEHost = acmeDomain;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}"; proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
proxyWebsockets = true; proxyWebsockets = true;
# TODO: proxy headers: # TODO: proxy headers:
# https://docs.hedgedoc.org/guides/reverse-proxy/ # https://docs.hedgedoc.org/guides/reverse-proxy/
@ -1186,6 +1172,7 @@ with builtins; {
}; };
# vaultwarden # vaultwarden
# Unofficial Bitwarden compatible server written in Rust # Unofficial Bitwarden compatible server written in Rust

View File

@ -0,0 +1,62 @@
{ config, pkgs, lib, ... }:
{
fileSystems = let
mkMount = mountpoint: server: subdir: {
"${mountpoint}${subdir}" = {
device = "${server}${subdir}";
fsType = "nfs";
#options = [ "nfsvers=4.2" ];
};
};
# TODO: combine nameValuePair and listToAttrs
joinSets = sets: builtins.foldl' (l: r: l // r) {} sets;
in joinSets (
(map (mkMount "/mnt/reidun" "192.168.1.3:/Reidun/shared") [
""
"/Backups"
"/Comics"
"/Downloads"
"/Games"
"/Games/Installable"
"/Games/Portable"
"/Games/ROMs"
"/ISO"
"/Images"
"/Images/Collections"
"/Images/Memes"
"/Images/Pictures"
"/Images/Wallpapers"
"/Music"
"/Music/Albums"
"/Music/Kancolle"
"/Music/OST"
"/Music/Old"
"/Music/Touhou"
"/Music/Vocaloid"
"/Music/dojin.co"
"/Various"
"/Various/Zotero"
"/Various/resilio"
"/Video"
"/Video/Anime"
"/Video/Concerts"
"/Video/Documentaries"
"/Video/Movies"
"/Video/Musicvideos"
"/Video/Series"
"/Video/Talks"
"/Work"
"/Work/Documents"
#"/Work/FL Studio" # broken, maybe due to the space?
"/Work/Programming"
"/Work/School"
"/pub"
]) ++ (map (mkMount "/mnt/meconium" "192.168.1.3:/Meconium" ) [
""
"/beets_music"
])
);
}

View File

@ -0,0 +1,94 @@
{ config, pkgs, lib, ... }:
let
#supportedFeatures:
# - "kvm" - has hypervisor
# - "nixos-test" - the same as ^? nixos?
# - "benchmark" - has "equal" performance
# - "big-parallel" - is beefy, for stuff like llvm
# TODO: get a binfmt-misc host for cross stuff
# add noximilien, filter (hostName != fqdn)
remotes = [
/**/
{
systems = ["x86_64-linux"];
hostName = "rocm.pbsds.net";
sshUser = "pbsds";
maxJobs = 8;
#maxJobs = 4;
#maxJobs = 1; # at least for big-parallel
speedFactor = 2;
supportedFeatures = [ "kvm" "big-parallel" ];
#supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
#mandatoryFeatures = [ ];
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGDuWdqEQ5mmVjuKi6f/Q2PFxuqB3URpgTHid06Vw7we";
proxy.user="pederbs";
proxy.host="isvegg.pvv.ntnu.no";
proxy.publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
}
/**/
{
systems = ["x86_64-linux"];
hostName = "isvegg.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 1;
speedFactor = 0;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGurF7rdnrDP/VgIK2Tx38of+bX/QGCGL+alrWnZ1Ca5llGneMulUt1RB9xZzNLHiaWIE+HOP0i4spEaeZhilfU=";
}
{
systems = ["x86_64-linux"];
hostName = "eirin.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 2;
speedFactor = 0;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBILGULKEzYe5kPorM0rWATv10qq6debfCuYUYqw3HWZm4Y5Pi7mVKcf8lKFNPc1DxT/dStfxxtHj/2fbezaxElk=";
}
{
systems = ["x86_64-linux"];
hostName = "demiurgen.pvv.ntnu.no";
sshUser = "pederbs";
maxJobs = 2;
speedFactor = 0;
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKw92q3eB5HZbKJN3p+80MtirqcXPu01USE9LnoGYJuDvko1udjIy4UR0wAwELqgs+r7mJyuQPeXmOZKwjHP6tM=";
}
/**/
];
mkRemoteConfig = {
publicKey,# fetch it with `ssh-keyscan`
proxy ? null, # schema: { user, host, publicKey }
... # the rest follows nix.buildMachines.<NAME> schema
}@args:
let
buildMachine = lib.filterAttrs (key: _: !builtins.elem key ["publicKey" "proxy"]) args; # this should have syntactic sugar: ...@buildMachine
in {
nix.buildMachines = [ buildMachine ];
programs.ssh.knownHosts.${buildMachine.hostName}.publicKey = publicKey;
programs.ssh.extraConfig = ''
Host ${buildMachine.hostName}
ConnectTimeout 3
${lib.optionalString (proxy != null) ''
ProxyJump ${proxy.user}@${proxy.host}
''}
'';
programs.ssh.knownHosts.${proxy.host or "IGNORE"} = lib.mkIf (proxy != null) { publicKey = proxy.publicKey; };
};
in {
nix.distributedBuilds = true;
# TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
# https://github.com/NixOS/nix/issues/2457
# useful when the builder has a faster internet connection than i do
nix.extraOptions = ''
builders-use-substitutes = true
'';
# TODO: can i make ^ non-string?
# TIL: this can be a list of configurations and lambdas, not just file paths
imports = builtins.map mkRemoteConfig remotes;
}

5
profiles/todos.md Normal file
View File

@ -0,0 +1,5 @@
* [ ] mv nas/default.nix nas.nix
* [ ] mv website/default.nix website.nix
* [ ] move each part into web-services, and import them as modules
* [ ] make mkDomain a function
* [ ] make ACME a function

View File

@ -11,6 +11,7 @@ in {
imports = [ imports = [
./services/pdoc.nix ./services/pdoc.nix
#../services/tt-rss.nix
]; ];
@ -22,8 +23,8 @@ in {
domain = "gitea.noximilien.pbsds.net"; domain = "gitea.noximilien.pbsds.net";
owner = "pbsds"; owner = "pbsds";
repo = "links.pbsds.net"; repo = "links.pbsds.net";
rev = "fd980f4610f8027b4fc89c506542009f09504085"; rev = "61cd605f198a22db87af087fda34c378b03d4306";
hash = "sha256-Iz/lfLkdCLJyyZ/PM9+VCkCG5lYSb9/i4x0ZhranBxc="; hash = "sha256-dx19aTy8K9xkL+cO4r4huYKrlVBZMUkDcbjqxLKe8W4=";
}; };
in { in {
#serverAliases = map mkDomain [ "links" ]; #serverAliases = map mkDomain [ "links" ];

View File

@ -85,14 +85,15 @@ let
{name="beautifulsoup4"; literal="bs4";} {name="beautifulsoup4"; literal="bs4";}
"hid" "hid"
#{name="hidapi"; literal="hid";} #{name="hidapi"; literal="hid";}
"sanic" #"sanic" # broken build?
"paramiko" "paramiko"
"pydub" "pydub"
"aiohttp" "aiohttp"
"papermill"
"rtoml" "rtoml"
"redis" "redis"
"numpy" "numpy"
"domeneshop" #"domeneshop"
"munch" "munch"
"migen" "migen"
"amaranth" "amaranth"
@ -109,7 +110,7 @@ let
"peewee" "peewee"
"parsel" "parsel"
"pandas" "pandas"
"mutmut" #"mutmut" # moved to toplevel from python3Packages
"mlflow" "mlflow"
"meshio" "meshio"
#"einops" # depends on tensorflow, which is broken ATM #"einops" # depends on tensorflow, which is broken ATM
@ -141,7 +142,7 @@ let
"asyncpg" #"aiopg" "asyncpg" #"aiopg"
{name="libsass"; literal="sass";} {name="libsass"; literal="sass";}
{name="pytorch"; literal="torch";} {name="pytorch"; literal="torch";}
{name="pytorch-lightning"; literal="pytorch_lightning";} #{name="pytorch-lightning"; literal="pytorch_lightning";} # broken build?
{name="pillow"; literal="PIL";} {name="pillow"; literal="PIL";}
"trio" "trio"
"tqdm" "tqdm"
@ -160,6 +161,7 @@ let
"imageio" "imageio"
"pygments" "pygments"
"trimesh" "trimesh"
"shapely"
#"faiss" #"faiss"
#"geomloss" #"geomloss"
#"mesh_to_sdf" #"mesh_to_sdf"

21
profiles/xrdp/default.nix Normal file
View File

@ -0,0 +1,21 @@
{ config, pkgs, lib, ... }:
{
# https://nixos.wiki/wiki/Remote_Desktop
services.xrdp.enable = true;
services.xrdp.openFirewall = true; # TCP only
services.xserver.enable = true;
services.xserver.virtualScreen = { x=1920; y=1080; }; # doesn't work?
services.xserver.tty = lib.mkDefault null;
# https://nixos.wiki/wiki/GNOME
#services.xserver.displayManager.gdm.enable = true;
services.xserver.desktopManager.gnome.enable = true;
#services.xrdp.defaultWindowManager = "gdm";
#services.xrdp.defaultWindowManager = "gnome-shell";
#services.xrdp.defaultWindowManager = "gnome-session";
services.xrdp.defaultWindowManager = "${pkgs.gnome.gnome-session}/bin/gnome-session"; # remember to `systemctl restart xrdp-sesman` if you change this
programs.dconf.enable = true;
}

View File

@ -6,6 +6,9 @@
./modules/jump.nix ./modules/jump.nix
./modules/micro.nix ./modules/micro.nix
]; ];
disabledModules = [
"programs/micro.nix"
];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
@ -73,6 +76,7 @@
vgmstream vgmstream
gallery-dl gallery-dl
yt-dlp yt-dlp
youtube-dl
ffmpeg-full ffmpeg-full
git git
@ -90,7 +94,7 @@
#tldr #tldr
entr entr
axel aria axel aria
bat bat bat-extras.batman # TODO: condition on programs.bat.enable
xe # xargs alternative xe # xargs alternative
sd # sed alternative sd # sed alternative
fd # find alternative fd # find alternative
@ -100,9 +104,12 @@
jq jq
yq yq
htmlq htmlq
just
sysz sysz
du-dust # du alternative du-dust # du alternative
ncdu # Disk usage analyzer with an ncurses interface ncdu # Disk usage analyzer with an ncurses interface
xplr # tui file explorer
aha
mesa-demos mesa-demos
cage cage
@ -112,10 +119,12 @@
librespeed-cli librespeed-cli
cachix
nix-template nix-template
nix-output-monitor nix-output-monitor
nixpkgs-review nixpkgs-review
manix manix
comma
(python3.withPackages (python-packages: with python-packages; [ (python3.withPackages (python-packages: with python-packages; [
requests requests
@ -176,6 +185,10 @@
gfr = "git pull --rebase"; gfr = "git pull --rebase";
gp = "git pull --rebase --autostash"; gp = "git pull --rebase --autostash";
# bat - TODO: condition these on programs.bat.enable ?
cat = "bat --style=plain --paging=never";
man = "batman";
python = "ptpython"; # this has too many problems... python = "ptpython"; # this has too many problems...
cpython = "python"; cpython = "python";
@ -184,6 +197,8 @@
http-server = "${pkgs.python3}/bin/python -m http.server"; http-server = "${pkgs.python3}/bin/python -m http.server";
manix-fzf = ''manix "" 2>/dev/null | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview="manix '{}'" | xargs manix''; manix-fzf = ''manix "" 2>/dev/null | grep '^# ' | sed 's/^# \(.*\) (.*/\1/;s/ (.*//;s/^# //' | fzf --preview="manix '{}'" | xargs manix'';
nixpkgs-review = ''mkdir -p /dev/shm/nixpkgs-review && ln -sfn /dev/shm/nixpkgs-review $HOME/.cache/nixpkgs-review && nixpkgs-review'';
}; };
programs.bash.enable = true; programs.bash.enable = true;
#programs.bash.enableCompletion = true; #programs.bash.enableCompletion = true;
@ -212,10 +227,28 @@
programs.exa.enable = true; programs.exa.enable = true;
programs.exa.enableAliases = true; programs.exa.enableAliases = true;
programs.direnv.enable = true; programs.direnv.enable = true;
programs.just.enable = true;
#programs.mpv.bindings #programs.mpv.bindings
#programs.mpv.config #programs.mpv.config
# TODO: implement programs.bat.enableAliases
programs.bat = {
enable = true;
themes.railscast = builtins.readFile (pkgs.fetchFromGitHub {
owner = "jeromedalbert";
repo = "sublime-text-railscasttextmate-theme";
rev = "0a4861f35e72f9ad4cc1cac42730ea563be2ffd3";
hash = "sha256-1Ml5vqP9r6oCfLhaNGPQJXS8e7utxQQycIm3Hk9wE3w=";
} + "/railscast-textmate.tmtheme");
config.theme = "railscast";
#config.style = "plain";
config.map-syntax = [
"poetry.toml:Toml"
"flake.lock:Json"
];
# only in unstable as of 22.11:
#extraPackages = with pkgs.bat-extras; [ batdiff batman batgrep batwatch ];
};
/**/ /**/
# TODO: upstream this # TODO: upstream this
programs.micro.enable = true; programs.micro.enable = true;
@ -259,13 +292,21 @@
#xdg.desktopEntries #xdg.desktopEntries
gtk.enable = true; # TODO: only if programs.dconf is enabled gtk.enable = true; # TODO: only if programs.dconf is enabled
gtk.theme.name = "vimix-dark-ruby"; #gtk.theme.name = "vimix-dark-ruby"; # TODO: keep vimix as gnome-shell theme?
gtk.theme.package = pkgs.vimix-gtk-themes; #gtk.theme.package = pkgs.vimix-gtk-themes;
gtk.theme.name = "Colloid-Dark";
gtk.theme.package = pkgs.colloid-gtk-theme;
gtk.iconTheme.name = "Flat-Remix-Blue-Dark"; gtk.iconTheme.name = "Flat-Remix-Blue-Dark";
gtk.iconTheme.package = pkgs.flat-remix-icon-theme; gtk.iconTheme.package = pkgs.flat-remix-icon-theme;
dconf.settings."org/gnome/desktop/background" = {
"picture-uri" = "file:///mnt/reidun/Images/Wallpapers/1575232313831.jpg";
"picture-uri-dark" = "file:///mnt/reidun/Images/Wallpapers/1575232313831.jpg";
};
# TODO: upstream?
programs.jump.enableBash = true; programs.jump.enableBash = true;
/** /
programs.beets = { programs.beets = {
enable = true; enable = true;
settings = { settings = {
@ -278,5 +319,6 @@
##library = "/mnt/meconium/beets_music/data.db"; ##library = "/mnt/meconium/beets_music/data.db";
}; };
}; };
/**/
} }